ľֱ

Bill Exposes Where Health Data Protections Lag

— It's not just period tracker apps: patient health data frequently vulnerable

Last Updated March 20, 2023
MedpageToday
A photo of a young woman using a period tracker application on her smartphone.

Period tracker apps have been a recent focus of health data privacy issues, but a bill in Washington state calls attention to other areas in technology where patient health information is at risk.

The bill, proposed earlier this year and referred to as the "", exposes where HIPAA protections end and how digital health companies are able to use, share, and sell patient health information.

"This act works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers' health data," it states.

Proposed protections include prohibiting the sale of health data, requiring disclosure of data collection and sharing, allowing consumers to have their health data deleted, and banning geofences around facilities that provide in-person healthcare services.

Personal health data collected by HIPAA-covered entities, such as most healthcare professionals, maintains federal protections, and is labeled protected health information, or PHI. However, data collected by apps and websites that are not covered entities or business associates are not protected by HIPAA -- leaving information about patients' diagnoses, tests, prescriptions, and location vulnerable, according to Andrew Mahler, vice president of privacy and compliance at the cybersecurity and compliance consulting firm Clearwater.

Mahler said more people have questions about what constitutes PHI and how their health data is at risk, in light of last year's Supreme Court decision that eliminated federal abortion rights.

"Any health data that is being acquired, maintained, received or used by a covered entity -- if it's individual identifiable health information, it's protected by HIPAA," Mahler told ľֱ. "Even though you might be sending it from your personal device, which isn't protected, once it's received by the covered entity, it would be at least broadly speaking, considered PHI and would be protected by HIPAA."

On the other hand, Mahler said, HIPAA protections don't always apply. Telehealth visits, for instance, aren't always or completely covered by HIPAA.

"If it's a telehealth provider that doesn't meet the definition of a covered entity or business associate, then HIPAA is not going to apply to them. State laws could, but HIPAA won't," Mahler said.

For instance, counselors who don't bill insurance but provide telehealth may not be a covered entity, he said.

Period tracking and fertility apps collect information about the user's menstrual cycle, age, sex life, and birth control use. Different apps are not equally secure at protecting user data. For instance, analyzed period tracking apps that tout privacy and found that few apps met their standards for security. Their criteria included having localized data storage, which keeps data on your personal device rather in the cloud, as well as not having third-party trackers.

These security measures aren't bulletproof, though. Particularly in states that have strict abortion laws, the risk for data breaches -- and unintentional data sharing -- is real.

In addition, law enforcement and the government can access a person's search history, location, and messages to gain information on them, which is risky for patients in states with abortion restrictions.

"I think it's important for physicians to feel empowered that they're not actually allowed to present certain types of information to law enforcement," Mahler said. "It's also important for people to think about how they're protecting patients that are in their care. And part of that care includes information about that patient's care."

Technology companies including Google and Meta have been criticized for handing over user data to law enforcement, such as in the , a Nebraska teenager who was charged with five crimes after her Facebook direct messages about having an illegal abortion were given to law enforcement.

Ron Li, MD, medical informatics director for digital health at Stanford Health Care, said part of an individual's risk comes from the sheer amount of personal data patients intentionally and unintentionally share.

"In our society, so much of our lives are captured by digital data -- and that data can actually end up in spaces that you'd never expect," Li told ľֱ. "Any health app that collects information about your health, that is not covered by HIPAA, would probably be at risk."

  • author['full_name']

    Rachael Robertson is a writer on the ľֱ enterprise and investigative team, also covering OB/GYN news. Her print, data, and audio stories have appeared in Everyday Health, Gizmodo, the Bronx Times, and multiple podcasts.